Pkcs 11 Library Mac

1. Download the DMG

Download the latest release of OpenSC.

2. Install the PKG

Lite Security Module: a daemon to handle Secure Boxes (files containing cryptographic keys, X509 certificates and data objects), accessible through a PKCS#11 library, supporting non-certified (lite) Software or Hardware Security Modules (www.clizio.com). Please consult your vendor documentation to find out if your cryptographic device includes such a PKCS#11 implementation, how to configure it, and what the name of the library file is. The Sun PKCS#11 provider supports a number of algorithms, provided that the underlying PKCS#11 implementation offers them. Jan 26, 2009 Mac (Leo) include preinstalled drivers for this reader. From Athena's support have got 'MAC OS-X PKCS#11 library for ASECard Crypto' - middleware software. After that in Keychain Access utility I can see all certificates from my smartcard.

Opening the DMG-file loads the OpenSC bundle into Finder. Open the contextual menu of the installation package (e.g. use a two-finger tap on trackpad) and choose Open. Skip the warning about the package's origin and follow the installation guide.

Since we aren't currently signing the installation package, double clicking cannot be used to install OpenSC.

3. Test your installation

Upon successful installation, OpenSC is installed in /Library/OpenSC, the tokend module was registered and links to the OpenSC tools have been created in /usr/local/bin.

The PKCS#11 modules have been installed as /Library/OpenSC/lib/opensc-pkcs11.so and /Library/OpenSC/lib/onepin-opensc-pkcs11.so (copies of the libraries are available in /usr/local/lib).

You may test tokend support of your card with Keychain Access. The app should list your smart card in the Keychains pane on the upper left side. Click the lock to verify the smart card PIN and to allow access to the card's keys.

You may test the PKCS#11 support of your card with

4. Customize your configuration

Change the default configuration file /Library/OpenSC/etc/opensc.conf to your needs. The configuration options are explained within this file.

5. Uninstall OpenSC

From the OpenSC bundle double click the OpenSC Uninstaller. Alternatively, run the following from the command line:

User-level applications in the Oracle Solaris cryptographic framework access PKCS #11 functions through the cryptoki library, which is provided in the libpkcs11.so module. The pkcs11_softtoken.so module is a PKCS #11 Soft Token implementation that is provided by Oracle Corporation to supply cryptographic mechanisms. The softtoken plug-in is the default source of mechanisms. Cryptographic mechanisms can also be supplied through third-party plug-ins.

This section lists the PKCS #11 functions and return values that are supported by the soft token. Return codes vary depending on the providers that are plugged into the framework. The section also describes some common functions. For a complete description of all the elements in the cryptoki library, refer to libpkcs11(3LIB) or to PKCS #11: Cryptographic Token Interface Standard on the RSA Laboratories web site.

Ensure that direct bindings are used for all providers. See ld(1) and the Linker and Libraries Guide for more information.

PKCS #11 Function List

The following list shows the categories of PKCS #11 functions that are supported by pkcs11_softtoken.so in the Oracle Solaris cryptographic framework with the associated functions:

  • General purpose: C_Initialize(), C_Finalize(), C_GetInfo(), C_GetFunctionList()

  • Session management: C_OpenSession(), C_CloseSession(), C_GetSessionInfo(), C_CloseAllSessions(), C_Login(), C_Logout()

  • Slot and token management: C_GetSlotList(), C_GetSlotInfo(), C_GetMechanismList(), C_GetMechanismInfo(), C_SetPIN()

  • Encryption and decryption: C_EncryptInit(), C_Encrypt(), C_EncryptUpdate(), C_EncryptFinal(), C_DecryptInit(), C_Decrypt(), C_DecryptUpdate(), C_DecryptFinal()

  • Message digesting: C_DigestInit(), C_Digest(), C_DigestKey(), C_DigestUpdate(), C_DigestFinal()

  • Signing and applying MAC: C_Sign(), C_SignInit(), C_SignUpdate(), C_SignFinal(), C_SignRecoverInit(), C_SignRecover()

  • Signature verification: C_Verify(), C_VerifyInit(), C_VerifyUpdate(), C_VerifyFinal(), C_VerifyRecoverInit(), C_VerifyRecover()

  • Dual-purpose cryptographic functions: C_DigestEncryptUpdate(), C_DecryptDigestUpdate(), C_SignEncryptUpdate(), C_DecryptVerifyUpdate()

  • Random number generation: C_SeedRandom(), C_GenerateRandom()

  • Object management: C_CreateObject(), C_DestroyObject(), C_CopyObject(), C_FindObjects(), C_FindObjectsInit(), C_FindObjectsFinal(), C_GetAttributeValue(), C_SetAttributeValue()

  • Key management: C_GenerateKey(), C_GenerateKeyPair(), C_DeriveKey()

Functions for Using PKCS #11

This section provides descriptions of the following functions for using PKCS #11:

Note –

All the PKCS #11 functions are available from the libpkcs11.so library. You do not have to use the C_GetFunctionList() function to get the list of functions available.

PKCS #11 Functions: C_Initialize()

C_Initialize() initializes the PKCS#11 library. C_Initialize() uses the following syntax:

pInitArgs is either the null value NULL_PTR or else a pointer to a CK_C_INITIALIZE_ARGS structure. With NULL_PTR, the library uses the Oracle Solaris mutexes as locking primitives to arbitrate the access to internal shared structures between multiple threads. Note that the Oracle Solaris cryptographic framework does not accept mutexes. Because this implementation of the cryptoki library handles multithreading safely and efficiently, using NULL_PTR is recommended. An application can also use pInitArgs to set flags such as CKF_LIBRARY_CANT_CREATE_OS_THREADS. C_Finalize() signals that the application is through with the PKCS #11 library.

Note –

C_Finalize() should never be called by libraries. By convention, applications are responsible for calling C_Finalize() to close out a session.

In addition to CKR_FUNCTION_FAILED, CKR_GENERAL_ERROR, CKR_HOST_MEMORY, and CKR_OK, C_Initialize() uses the following return values:

  • CKR_ARGUMENTS_BAD

  • CKR_CANT_LOCK

  • CKR_CRYPTOKI_ALREADY_INITIALIZED (not fatal)

PKCS #11 Functions: C_GetInfo()

C_GetInfo() returns manufacturer and version information about the cryptoki library. C_GetInfo() uses the following syntax:

C_GetInfo() returns the following values:

  • cryptokiVersion = 2, 11

  • manufacturerID = Sun Microsystems, Inc.

In addition to CKR_FUNCTION_FAILED, CKR_GENERAL_ERROR, CKR_HOST_MEMORY, and CKR_OK, C_GetInfo() gets the following return values:

  • CKR_ARGUMENTS_BAD

  • CKR_CRYPTOKI_NOT_INITIALIZED

PKCS #11 Functions: C_GetSlotList()

C_GetSlotList() returns a list of available slots. If no additional cryptographic providers have been installed other than pkcs11_softtoken.so, then C_GetSlotList() returns the default slot only. C_GetSlotList() uses the following syntax:

When set to TRUE, tokenPresent limits the search to those slots whose tokens are present.

When pSlotList is set to NULL_PTR, C_GetSlotList() returns the number of slots only. pulCount is a pointer to the location to receive the slot count.

When pSlotList points to the buffer to receive the slots, *pulCount is set to the maximum expected number of CK_SLOT_ID elements. On return, *pulCount is set to the actual number of CK_SLOT_ID elements.

Typically, PKCS #11 applications call C_GetSlotList() twice. The first time, C_GetSlotList() is called to get the number of slots for memory allocation. The second time, C_GetSlotList() is called to retrieve the slots.

Note –

The order of the slots is not guaranteed. The order of the slots can vary with each load of the PKCS #11 library.

In addition to CKR_FUNCTION_FAILED, CKR_GENERAL_ERROR, CKR_HOST_MEMORY, and CKR_OK, C_GetSlotList() gets the following return values:

  • CKR_ARGUMENTS_BAD

  • CKR_BUFFER_TOO_SMALL

  • CKR_CRYPTOKI_NOT_INITIALIZED
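
The two-call pattern described above, as an added C example that is not part of the original documentation. The Cryptoki types are minimal stand-ins, C_GetSlotList() here is a constructed stub whose slot count grows between calls so that the retry on CKR_BUFFER_TOO_SMALL is exercised, and get_slots() is a hypothetical helper name.

```c
#include <stdio.h>
#include <stdlib.h>
/* Minimal stand-ins for the Cryptoki types and return codes (values as in the
 * PKCS #11 headers); a real program includes the provider's pkcs11 header. */
typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID;
typedef unsigned char CK_BBOOL;
#define CKR_OK               0x00000000UL
#define CKR_HOST_MEMORY      0x00000002UL
#define CKR_BUFFER_TOO_SMALL 0x00000150UL

/* Constructed stub provider: reports 2 slots on the first call and 3 afterwards,
 * imitating a provider that is plugged in between the two calls. */
static int stub_calls = 0;
static CK_RV C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *pSlotList, CK_ULONG *pulCount)
{
    static const CK_SLOT_ID slots[] = { 1, 7, 9 };
    CK_ULONG have = (stub_calls++ == 0) ? 2 : 3;
    (void)tokenPresent;
    if (pSlotList == NULL) { *pulCount = have; return CKR_OK; }
    if (*pulCount < have)  { *pulCount = have; return CKR_BUFFER_TOO_SMALL; }
    for (CK_ULONG i = 0; i < have; i++) pSlotList[i] = slots[i];
    *pulCount = have; return CKR_OK;
}

/* Two-call pattern, repeated while the list grows between the two calls.
 * On CKR_OK the caller owns *out and must free() it. */
CK_RV get_slots(CK_BBOOL tokenPresent, CK_SLOT_ID **out, CK_ULONG *count)
{
    *out = NULL;
    for (;;) {
        CK_RV rv = C_GetSlotList(tokenPresent, NULL, count);   /* size query */
        if (rv != CKR_OK) return rv;
        CK_SLOT_ID *buf = malloc((*count ? *count : 1) * sizeof *buf);
        if (buf == NULL) return CKR_HOST_MEMORY;
        rv = C_GetSlotList(tokenPresent, buf, count);          /* fill buffer */
        if (rv == CKR_OK) { *out = buf; return CKR_OK; }
        free(buf);
        if (rv != CKR_BUFFER_TOO_SMALL) return rv;             /* otherwise retry */
    }
}

int main(void)
{
    CK_SLOT_ID *slots; CK_ULONG n;
    if (get_slots(1, &slots, &n) != CKR_OK) return 1;
    for (CK_ULONG i = 0; i < n; i++) printf("slot %lu\n", slots[i]);
    free(slots);
    return 0;
}
```

Because the slot order is not guaranteed across library loads, code built on this helper should identify a token by its label or serial number rather than by its position in the returned array.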

PKCS #11 Functions: C_GetTokenInfo()

C_GetTokenInfo() gets information about a specific token. C_GetTokenInfo() uses the following syntax:

slotID identifies the slot for the token. slotID has to be a valid ID that was returned by C_GetSlotList(). pInfo is a pointer to the location to receive the token information.

If pkcs11_softtoken.so is the only installed provider, then C_GetTokenInfo() returns the following fields and values:

  • label – Sun Software PKCS#11 softtoken.

  • flags – CKF_DUAL_CRYPTO_OPERATIONS, CKF_TOKEN_INITIALIZED, CKF_RNG, CKF_USER_PIN_INITIALIZED, and CKF_LOGIN_REQUIRED, which are set to 1.

  • ulMaxSessionCount – Set to CK_EFFECTIVELY_INFINITE.

  • ulMaxRwSessionCount – Set to CK_EFFECTIVELY_INFINITE.

  • ulMaxPinLen – Set to 256.

  • ulMinPinLen – Set to 1.

  • ulTotalPublicMemory – Set to CK_UNAVAILABLE_INFORMATION.

  • ulFreePublicMemory – Set to CK_UNAVAILABLE_INFORMATION.

  • ulTotalPrivateMemory – Set to CK_UNAVAILABLE_INFORMATION.

  • ulFreePrivateMemory – Set to CK_UNAVAILABLE_INFORMATION.

In addition to CKR_FUNCTION_FAILED, CKR_GENERAL_ERROR, CKR_HOST_MEMORY, and CKR_OK, C_GetSlotList() gets the following return values:

  • CKR_ARGUMENTS_BAD

  • CKR_BUFFER_TOO_SMALL

  • CKR_CRYPTOKI_NOT_INITIALIZED

  • CKR_SLOT_ID_INVALID

The following return values are relevant for plug-ins with hardware tokens:

  • CKR_DEVICE_ERROR

  • CKR_DEVICE_MEMORY

  • CKR_DEVICE_REMOVED

  • CKR_TOKEN_NOT_PRESENT

  • CKR_TOKEN_NOT_RECOGNIZED

PKCS #11 Functions: C_OpenSession()

C_OpenSession() enables an application to start a cryptographic session with a specific token in a specific slot. C_OpenSession() uses the following syntax:

slotID identifies the slot. flags indicates whether the session is read-write or read-only. pApplication is a pointer that is defined by the application for use in callbacks. Notify holds the address of an optional callback function. phSession is a pointer to the location of the session handle.

In addition to CKR_FUNCTION_FAILED, CKR_GENERAL_ERROR, CKR_HOST_MEMORY, and CKR_OK, C_OpenSession() gets the following return values:

  • CKR_ARGUMENTS_BAD

  • CKR_CRYPTOKI_NOT_INITIALIZED

  • CKR_SLOT_ID_INVALID

  • CKR_TOKEN_WRITE_PROTECTED (occurs with write-protected tokens)

The following return values are relevant for plug-ins with hardware tokens:

  • CKR_DEVICE_ERROR

  • CKR_DEVICE_MEMORY

  • CKR_DEVICE_REMOVED

  • CKR_SESSION_COUNT

  • CKR_SESSION_PARALLEL_NOT_SUPPORTED

  • CKR_SESSION_READ_WRITE_SO_EXISTS

  • CKR_TOKEN_NOT_PRESENT

  • CKR_TOKEN_NOT_RECOGNIZED

PKCS #11 Functions: C_GetMechanismList()

C_GetMechanismList() gets a list of mechanism types that are supported by the specified token. C_GetMechanismList() uses the following syntax:

slotID identifies the slot for the token. pulCount is a pointer to the location to receive the number of mechanisms. When pMechanismList is set to NULL_PTR, the number of mechanisms is returned in *pulCount. Otherwise, *pulCount must be set to the size of the list and pMechanismList points to the buffer to hold the list.

When PKCS #11 Soft Token is plugged in, C_GetMechanismList() returns the following list of supported mechanisms:

  • CKM_AES_CBC

  • CKM_AES_CBC_PAD

  • CKM_AES_ECB

  • CKM_AES_KEY_GEN

  • CKM_DES_CBC

  • CKM_DES_CBC_PAD

  • CKM_DES_ECB

  • CKM_DES_KEY_GEN

  • CKM_DES_MAC

  • CKM_DES_MAC_GENERAL

  • CKM_DES3_CBC

  • CKM_DES3_CBC_PAD

  • CKM_DES3_ECB

  • CKM_DES3_KEY_GEN

  • CKM_DH_PKCS_DERIVE

  • CKM_DH_PKCS_KEY_PAIR_GEN

  • CKM_DSA

  • CKM_DSA_KEY_PAIR_GEN

  • CKM_DSA_SHA_1

  • CKM_MD5

  • CKM_MD5_KEY_DERIVATION

  • CKM_MD5_RSA_PKCS

  • CKM_MD5_HMAC

  • CKM_MD5_HMAC_GENERAL

  • CKM_PBE_SHA1_RC4_128

  • CKM_PKCS5_PBKD2

  • CKM_RC4

  • CKM_RC4_KEY_GEN

  • CKM_RSA_PKCS

  • CKM_RSA_X_509

  • CKM_RSA_PKCS_KEY_PAIR_GEN

  • CKM_SHA_1

  • CKM_SHA_1_HMAC_GENERAL

  • CKM_SHA_1_HMAC

  • CKM_SHA_1_KEY_DERIVATION

  • CKM_SHA_1_RSA_PKCS

  • CKM_SSL3_KEY_AND_MAC_DERIVE

  • CKM_SSL3_MASTER_KEY_DERIVE

  • CKM_SSL3_MASTER_KEY_DERIVE_DH

  • CKM_SSL3_MD5_MAC

  • CKM_SSL3_PRE_MASTER_KEY_GEN

  • CKM_SSL3_SHA1_MAC

  • CKM_TLS_KEY_AND_MAC_DERIVE

  • CKM_TLS_MASTER_KEY_DERIVE

  • CKM_TLS_MASTER_KEY_DERIVE_DH

  • CKM_TLS_PRE_MASTER_KEY_GEN

In addition to CKR_FUNCTION_FAILED, CKR_GENERAL_ERROR, CKR_HOST_MEMORY, and CKR_OK, C_GetSlotList() uses the following return values:

  • CKR_ARGUMENTS_BAD

  • CKR_BUFFER_TOO_SMALL

  • CKR_CRYPTOKI_NOT_INITIALIZED

  • CKR_SLOT_ID_INVALID

The following return values are relevant for plug-ins with hardware tokens:

  • CKR_DEVICE_ERROR

  • CKR_DEVICE_MEMORY

  • CKR_DEVICE_REMOVED

  • CKR_TOKEN_NOT_PRESENT

  • CKR_TOKEN_NOT_RECOGNIZED

Extended PKCS #11 Functions

In addition to the standard PKCS #11 functions, two convenience functions are supplied with the Oracle Solaris cryptographic framework:

Extended PKCS #11 Functions: SUNW_C_GetMechSession()

SUNW_C_GetMechSession() is a convenience function that initializes the Oracle Solaris cryptographic framework. The function then starts a session with the specified mechanism. SUNW_C_GetMechSession() uses the following syntax:

The mech parameter is used to specify the mechanism to be used. hSession is a pointer to the session location.

Internally, SUNW_C_GetMechSession() calls C_Initialize() to initialize the cryptoki library. SUNW_C_GetMechSession() next calls C_GetSlotList() and C_GetMechanismInfo() to search through the available slots for a token with the specified mechanism. When the mechanism is found, SUNW_C_GetMechSession() calls C_OpenSession() to open a session.

SUNW_C_GetMechSession() only needs to be called once. However, calling SUNW_C_GetMechSession() multiple times does not cause any problems.

Extended PKCS #11 Functions: SUNW_C_KeyToObject

SUNW_C_KeyToObject() creates a secret key object. The calling program must specify the mechanism to be used and raw key data. Internally, SUNW_C_KeyToObject() determines the type of key for the specified mechanism. A generic key object is created through C_CreateObject(). SUNW_C_KeyToObject() next calls C_GetSessionInfo() and C_GetMechanismInfo() to get the slot and mechanism. C_SetAttributeValue() then sets the attribute flag for the key object according to the type of mechanism.